New TrickBot Variant Updates Anti-Analysis Tricks

Aug 17, 2014
Researchers uncovered a new variant of the TrickBot malware that relies on new anti-analysis techniques, an updated method for downloading its payload as well as adopting minor changes to the integration of its components.

“In this post, we detailed how this TrickBot fresh variant works in a victim’s machine, what technologies it uses to perform anti-analysis, as well as how the payload of TrickBot communicates with its C&C server to download the modules,” said Xiaopeng Zhang with Fortinet’s FortiGuard Labs threat team in a Monday analysis.

Researchers discovered the latest variant in a malicious Word document, which they believe is part of a phishing campaign. When the malicious Word document is opened, it asks the victim to “Enable Content,” which then executes a malicious macro (written in VBA). The VBA code extracts a file (“C:\AprilReport\List1.jse”) and eventually runs that huge JavaScript file, “List1.jse.”

Researchers listed a number of anti-analysis techniques utilized by this JavaScript file, including heavy obfuscation to protect the API function calls and constant strings associated with the malware’s attack chain from being identified.

In new behavior for this variant, once executed, the JavaScript code first waits for about one minute. This behavior makes it seem inert, helping it to bypass any auto-analysis tools, researchers said. After waiting, the JavaScript file then executes a WMI query (“Select * from Win32_Process”) to obtain all running processes on the victim’s system. It then concatenates the names of these processes and checks whether the combined string is shorter than 3,100 characters – another new anti-analysis functionality, researchers said.

“If [the length is less than 3,100], it will raise an exception and close,” researchers said. “Usually, on a real computer, this length is larger than 3100. In this measure, it is better able to bypass many auto-analysis systems, including Sandboxes and Virtual Machines.”
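The process-list length check described above is easy to reproduce from the defender's side, which is useful for a sandbox operator who wants to know whether an analysis VM would be flagged by it. The following script is an added example, not code from the Fortinet write-up or from the malware: it models the arithmetic the article describes (join all process names, compare the length against 3,100) and reports how much a sparse environment falls short. It assumes the names are joined with no separator and compared with a strict less-than, as the article states; the two process inventories are constructed for the example, not captured from a real machine, and the `local_process_names` helper for running the check on the current host is this example's own addition.

```python
"""Sandbox self-check modelled on the TrickBot process-list length test.

Added example, not part of the original article. It reproduces the check
the write-up describes (join every running process name, bail out if the
joined string is shorter than 3,100 characters) so an analysis-environment
owner can see whether their VM would be classified as a sandbox.
Assumptions: names are joined with no separator and the comparison is a
strict less-than, as the article describes.
"""
import os
import subprocess
import sys
from typing import Iterable, List

TRICKBOT_LENGTH_THRESHOLD = 3100  # value quoted in the article


def joined_process_names(names: Iterable[str]) -> str:
    """Concatenate process names with no separator (assumed join style)."""
    return "".join(names)


def evasion_would_trigger(names: Iterable[str],
                          threshold: int = TRICKBOT_LENGTH_THRESHOLD) -> bool:
    """True if the sample would treat this inventory as an analysis box."""
    return len(joined_process_names(names)) < threshold


def padding_needed(names: Iterable[str],
                   threshold: int = TRICKBOT_LENGTH_THRESHOLD) -> int:
    """Characters of extra process names needed before the check passes."""
    return max(0, threshold - len(joined_process_names(names)))


def local_process_names() -> List[str]:
    """Best-effort process inventory of the current host (example helper).

    Uses `tasklist` on Windows and /proc/<pid>/comm on Linux; returns an
    empty list elsewhere so the check degrades gracefully.
    """
    if sys.platform.startswith("win"):
        out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                             capture_output=True, text=True, check=False).stdout
        return [line.split('","')[0].strip('"') for line in out.splitlines() if line]
    if os.path.isdir("/proc"):
        names = []
        for pid in os.listdir("/proc"):
            if pid.isdigit():
                try:
                    with open(f"/proc/{pid}/comm") as fh:
                        names.append(fh.read().strip())
                except OSError:
                    continue
        return names
    return []


# Constructed sample inventories (not captured from any real machine).
# A minimal sandbox: the bare Windows session plus Word and wscript.exe.
SPARSE_SANDBOX = [
    "System", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe", "svchost.exe",
    "explorer.exe", "WINWORD.EXE", "wscript.exe",
]
# A busy workstation: the same base plus the usual crowd of service hosts,
# browser tabs and helper processes a real user accumulates.
BUSY_WORKSTATION = (SPARSE_SANDBOX + ["svchost.exe"] * 80 + ["chrome.exe"] * 120
                    + ["RuntimeBroker.exe"] * 30 + ["conhost.exe"] * 20
                    + ["OneDrive.exe"] * 20)


def report(label: str, names: List[str]) -> dict:
    """Summarise one inventory against the threshold."""
    return {
        "label": label,
        "process_count": len(names),
        "joined_length": len(joined_process_names(names)),
        "flagged_as_sandbox": evasion_would_trigger(names),
        "padding_needed": padding_needed(names),
    }


if __name__ == "__main__":
    for label, inv in (("sparse sandbox", SPARSE_SANDBOX),
                       ("busy workstation", BUSY_WORKSTATION),
                       ("this host", local_process_names())):
        print(report(label, inv))
```

Running the script prints one summary line per inventory; the `padding_needed` field tells a sandbox maintainer roughly how much more process-name text the VM needs before a sample using this check would proceed to its real payload rather than silently exiting.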